Received: by 2002:ab2:3141:0:b0:1ed:23cc:44d1 with SMTP id i1csp1996980lqg;
        Mon, 4 Mar 2024 09:39:17 -0800 (PST)
X-Forwarded-Encrypted: i=3; AJvYcCUEAFIfVlF2tvnArr7J40tGSVikICumVdWNowsmma/N/jJLERQhWwTfi3LDJZfDQYzjWiGpFo4Yplfdto58D+MMr+uPNUWpH7R/vn2vjA==
X-Google-Smtp-Source: AGHT+IHTunPrsBYFrvLwjLFOHq878oL1XvX3K5WV/FmBXWdwr6uMr6pqz4Hr9EyByBcJVRxCPbEG
X-Received: by 2002:a17:90a:fa98:b0:29a:8b5a:892a with SMTP id cu24-20020a17090afa9800b0029a8b5a892amr7995489pjb.39.1709573956820;
        Mon, 04 Mar 2024 09:39:16 -0800 (PST)
ARC-Seal: i=2; a=rsa-sha256; t=1709573956; cv=pass;
        d=google.com; s=arc-20160816;
        b=cPL3iY431+xwIHPHpr/KtGHTpE1HBV5OK6D93bRWCds4kcj0p6tvXWQkg9Zd7lQtnA
         EX8mXwOC//3+axjVNaVQtdQG4++eE+2W8sysl1ZymaybQkxwgWBWHKj2h/7QXEX4ic4i
         YFvEw2jxR8ecBY/TwbIccsfqrkO1bumYgRLKXK+tEaKjeu99oSMiAArXjhDJ+5iDrAWF
         yjflBtS20jk2z6ujp9nGIaTRD7xz0xAV2hXMFNXLDcgkTzYb/xGURNlhv1npLj1Vq61G
         o00Go8CabseFu5Wox5bfEItKAASzublwycvUXvMmrfG0BtT3HdWXQ/P0DPW2pDsVoZuj
         zzAg==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=user-agent:in-reply-to:content-disposition:mime-version
         :list-unsubscribe:list-subscribe:list-id:precedence:references
         :message-id:subject:cc:to:from:date;
        bh=S7I+lf2x+iHmi/feTlPSVLLLgP3FmgHiNM1GCShg0PM=;
        fh=98KwVV8RpDNth19YVoL1G0g1wneJOt7kGhMv/1sMvIU=;
        b=cLZ7LQrilDgrCi+BrdjQr6yfP/DCTmlAxhUVZnvZ8wWi7+Kasy0AV04dyFhIOG6Agn
         SAh3km1cS6R+bBEef+LZJ3u7u9wzxPRDQrW1m1/lfAdfbX2gRBqOW78P5Ck0iZQAf9B1
         wnwPprz0CqkzK0wSgobKSnd7ZBd6sLYvqr6Zc39YdxONe/ou3QmpqQuTW+OSz+jqoyX5
         Orp4JjcKcF0DRzN414yp7V3D918txmHRVBOVxt125/pOjOi5mgXtxTFjpU1AlmrN1Gnl
         gM3S0joJyxVt6JhE0CoLQHazBb09EI46LXvSqB3CQyFriiXI3lVF6ThzEbbar2m+ED6f
         FPFg==;
        dara=google.com
ARC-Authentication-Results: i=2; mx.google.com;
       arc=pass (i=1 spf=pass spfdomain=communityfibre.ca);
       spf=pass (google.com: domain of linux-kernel+bounces-90978-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:40f1:3f00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-90978-linux.lists.archive=gmail.com@vger.kernel.org"
Return-Path: <linux-kernel+bounces-90978-linux.lists.archive=gmail.com@vger.kernel.org>
Received: from sy.mirrors.kernel.org (sy.mirrors.kernel.org. [2604:1380:40f1:3f00::1])
        by mx.google.com with ESMTPS id lp18-20020a17090b4a9200b0029b5819242csi1025376pjb.162.2024.03.04.09.39.16
        for <linux.lists.archive@gmail.com>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Mon, 04 Mar 2024 09:39:16 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel+bounces-90978-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:40f1:3f00::1 as permitted sender) client-ip=2604:1380:40f1:3f00::1;
Authentication-Results: mx.google.com;
       arc=pass (i=1 spf=pass spfdomain=communityfibre.ca);
       spf=pass (google.com: domain of linux-kernel+bounces-90978-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:40f1:3f00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-90978-linux.lists.archive=gmail.com@vger.kernel.org"
Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by sy.mirrors.kernel.org (Postfix) with ESMTPS id 3B918B2737C
	for <linux.lists.archive@gmail.com>; Mon,  4 Mar 2024 17:05:17 +0000 (UTC)
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
	by smtp.subspace.kernel.org (Postfix) with ESMTP id 9DA645FEE4;
	Mon,  4 Mar 2024 17:05:05 +0000 (UTC)
Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17])
	by smtp.subspace.kernel.org (Postfix) with ESMTP id D28265F578;
	Mon,  4 Mar 2024 17:05:02 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=205.233.56.17
ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1709571905; cv=none; b=fsg8ueFK6BrQQ3cpW3jisO+MM46aIms3a924PgfVAyI8/XHo/7l22COPLzT/Y+9J98tlFRJFXIREy4BMqxW8l9RMutg5aM2fvr5ZjqJqpTdjaijr3Qs4y0huvDQle4Y0VfpV6tUhlIWDpl63yjQwMM5kS/xYW98uxZWPSQJV28g=
ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1709571905; c=relaxed/simple;
	bh=GykyLOySktTcdnN5xj9tScvKWkrbQcuU5PotoD4BMPc=;
	h=Date:From:To:Cc:Subject:Message-ID:References:Mime-Version:
	 Content-Type:Content-Disposition:In-Reply-To; b=XoyPemB64Qv01PkzFcqBCOR+q0oBNeaiVO4RoVcm3ewPQTjvXbg6kf3mAdPCjjADvmQEgNcas4IWjw/IHIAQFFkHmxzOJVCm4Cs9RZMEv47T1AiykyZmhBBfEKiv1aAErnbe29VY1E/XnuH75ByPwq6OjWggnOlmuOuhW+zre48=
ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=communityfibre.ca; spf=pass smtp.mailfrom=communityfibre.ca; arc=none smtp.client-ip=205.233.56.17
Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=communityfibre.ca
Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=communityfibre.ca
Received: by kanga.kvack.org (Postfix, from userid 63042)
	id 09E296B0080; Mon,  4 Mar 2024 12:03:43 -0500 (EST)
Date: Mon, 4 Mar 2024 12:03:43 -0500
From: Benjamin LaHaise <ben@communityfibre.ca>
To: Bart Van Assche <bvanassche@acm.org>
Cc: Edward Adam Davis <eadavis@qq.com>,
	syzbot+b91eb2ed18f599dd3c31@syzkaller.appspotmail.com,
	brauner@kernel.org, jack@suse.cz, linux-aio@kvack.org,
	linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org,
	syzkaller-bugs@googlegroups.com, viro@zeniv.linux.org.uk
Subject: Re: [PATCH] fs/aio: fix uaf in sys_io_cancel
Message-ID: <20240304170343.GO20455@kvack.org>
References: <0000000000006945730612bc9173@google.com> <tencent_DC4C9767C786D2D2FDC64F099FAEFDEEC106@qq.com> <14f85d0c-8303-4710-b8b1-248ce27a6e1f@acm.org>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <14f85d0c-8303-4710-b8b1-248ce27a6e1f@acm.org>
User-Agent: Mutt/1.4.2.2i

On Mon, Mar 04, 2024 at 08:15:15AM -0800, Bart Van Assche wrote:
> On 3/3/24 04:21, Edward Adam Davis wrote:
> >The aio poll work aio_poll_complete_work() need to be synchronized with 
> >syscall
> >io_cancel(). Otherwise, when poll work executes first, syscall may access 
> >the
> >released aio_kiocb object.
> >
> >Fixes: 54cbc058d86b ("fs/aio: Make io_cancel() generate completions again")
> >Reported-and-tested-by: 
> >syzbot+b91eb2ed18f599dd3c31@syzkaller.appspotmail.com
> >Signed-off-by: Edward Adam Davis <eadavis@qq.com>
> >---
> >  fs/aio.c | 5 ++---
> >  1 file changed, 2 insertions(+), 3 deletions(-)
> >
> >diff --git a/fs/aio.c b/fs/aio.c
> >index 28223f511931..0fed22ed9eb8 100644
> >--- a/fs/aio.c
> >+++ b/fs/aio.c
> >@@ -1762,9 +1762,8 @@ static void aio_poll_complete_work(struct 
> >work_struct *work)
> >  	} /* else, POLLFREE has freed the waitqueue, so we must complete */
> >  	list_del_init(&iocb->ki_list);
> >  	iocb->ki_res.res = mangle_poll(mask);
> >-	spin_unlock_irq(&ctx->ctx_lock);
> >-
> >  	iocb_put(iocb);
> >+	spin_unlock_irq(&ctx->ctx_lock);
> >  }
> >  
> >  /* assumes we are called with irqs disabled */
> >@@ -2198,7 +2197,6 @@ SYSCALL_DEFINE3(io_cancel, aio_context_t, ctx_id, 
> >struct iocb __user *, iocb,
> >  			break;
> >  		}
> >  	}
> >-	spin_unlock_irq(&ctx->ctx_lock);
> >  
> >  	/*
> >  	 * The result argument is no longer used - the io_event is always
> >@@ -2206,6 +2204,7 @@ SYSCALL_DEFINE3(io_cancel, aio_context_t, ctx_id, 
> >struct iocb __user *, iocb,
> >  	 */
> >  	if (ret == 0 && kiocb->rw.ki_flags & IOCB_AIO_RW)
> >  		aio_complete_rw(&kiocb->rw, -EINTR);
> >+	spin_unlock_irq(&ctx->ctx_lock);
> >  
> >  	percpu_ref_put(&ctx->users);

This is just so wrong there aren't even words to describe it.  I
recommending reverting all of Bart's patches since they were not reviewed
by anyone with a sufficient level of familiarity with fs/aio.c to get it
right.

		-ben

> I'm not enthusiast about the above patch because it increases the amount
> of code executed with the ctx_lock held. Wouldn't something like the
> untested patch below be a better solution?
> 
> Thanks,
> 
> Bart.
> 
> 
> diff --git a/fs/aio.c b/fs/aio.c
> index 28223f511931..c6fb10321e48 100644
> --- a/fs/aio.c
> +++ b/fs/aio.c
> @@ -2177,6 +2177,7 @@ SYSCALL_DEFINE3(io_cancel, aio_context_t, ctx_id, 
> struct iocb __user *, iocb,
>  	struct kioctx *ctx;
>  	struct aio_kiocb *kiocb;
>  	int ret = -EINVAL;
> +	bool is_cancelled_rw = false;
>  	u32 key;
>  	u64 obj = (u64)(unsigned long)iocb;
> 
> @@ -2193,6 +2194,7 @@ SYSCALL_DEFINE3(io_cancel, aio_context_t, ctx_id, 
> struct iocb __user *, iocb,
>  	/* TODO: use a hash or array, this sucks. */
>  	list_for_each_entry(kiocb, &ctx->active_reqs, ki_list) {
>  		if (kiocb->ki_res.obj == obj) {
> +			is_cancelled_rw = kiocb->rw.ki_flags & IOCB_AIO_RW;
>  			ret = kiocb->ki_cancel(&kiocb->rw);
>  			list_del_init(&kiocb->ki_list);
>  			break;
> @@ -2204,7 +2206,7 @@ SYSCALL_DEFINE3(io_cancel, aio_context_t, ctx_id, 
> struct iocb __user *, iocb,
>  	 * The result argument is no longer used - the io_event is always
>  	 * delivered via the ring buffer.
>  	 */
> -	if (ret == 0 && kiocb->rw.ki_flags & IOCB_AIO_RW)
> +	if (ret == 0 && is_cancelled_rw)
>  		aio_complete_rw(&kiocb->rw, -EINTR);
> 
>  	percpu_ref_put(&ctx->users);
> 
> 

-- 
"Thought is the essence of where you are now."